appsembler · shadinaif · Mar 17, 2022 · Feb 14, 2019 · Aug 22, 2018 · Sep 20, 2018
diff --git a/common/djangoapps/third_party_auth/pipeline.py b/common/djangoapps/third_party_auth/pipeline.py
@@ -69,6 +69,7 @@ def B(*args, **kwargs):
 import analytics
 from django.conf import settings
 from django.contrib.auth.models import User
+from django.contrib.auth import logout
 from django.core.mail.message import EmailMessage
 from django.urls import reverse
 from django.http import HttpResponseBadRequest
@@ -81,6 +82,8 @@ def B(*args, **kwargs):
 import student
 from edxmako.shortcuts import render_to_string
 from eventtracking import tracker
+
+from util.json_request import JsonResponse
 from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from third_party_auth.utils import user_exists
 from lms.djangoapps.verify_student.models import SSOVerification
@@ -658,6 +661,10 @@ def set_logged_in_cookies(backend=None, user=None, strategy=None, auth_entry=Non
     """
     if not is_api(auth_entry) and user is not None and user.is_authenticated:
         request = strategy.request if strategy else None
+        if not user.has_usable_password():
+            msg = "Your account is disabled"
+            logout(request)
+            return JsonResponse(msg, status=403)
         # n.b. for new users, user.is_active may be False at this point; set the cookie anyways.
         if request is not None:
             # Check that the cookie isn't already set.

diff --git a/common/lib/xmodule/xmodule/backcompat_module.py b/common/lib/xmodule/xmodule/backcompat_module.py
@@ -7,6 +7,8 @@
 
 from lxml import etree
 
+from openedx.core.djangolib.markup import Text
+
 from .x_module import XModuleDescriptor
 
 log = logging.getLogger(__name__)
@@ -72,8 +74,8 @@ def from_xml(cls, xml_data, system, id_generator):
         the child element
         """
         xml_object = etree.fromstring(xml_data)
-        system.error_tracker("WARNING: the <{0}> tag is deprecated.  Please do not use in new content."
-                             .format(xml_object.tag))
+        system.error_tracker(Text("WARNING: the <{tag=}> tag is deprecated.  Please do not use in new content.")
+                             .format(tag=xml_object.tag))
 
         if len(xml_object) == 1:
             for (key, val) in xml_object.items():
@@ -96,8 +98,8 @@ def from_xml(cls, xml_data, system, id_generator):
         """
 
         xml_object = etree.fromstring(xml_data)
-        system.error_tracker('WARNING: the <{tag}> tag is deprecated.  '
-                             'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. '
+        system.error_tracker(Text('WARNING: the <{tag}> tag is deprecated.  '
+                             'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. ')
                              .format(tag=xml_object.tag))
 
         tag = xml_object.tag

diff --git a/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore b/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore
@@ -2,33 +2,33 @@
 <!-- ${width}  = 300   -->
 <!-- ${height} = 400   -->
 
-<div class="imageinput capa_inputtype" id="inputtype_<%=id%>">
+<div class="imageinput capa_inputtype" id="inputtype_<%-id%>">
     <input
         type="hidden"
         class="imageinput"
         src=""
-        name="input_<%=id%>"
-        id="input_<%=id%>"
+        name="input_<%-id%>"
+        id="input_<%-id%>"
         value=""
     />
 
     <div style="position:relative;">
         <div
-            id="imageinput_<%=id%>"
-            style="width: <%=width%>px; height: <%=height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
+            id="imageinput_<%-id%>"
+            style="width: <%-width%>px; height: <%-height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
         >
             <!-- image will go here -->
         </div>
-        <div id="answer_<%=id%>" data-width="100" data-height="100"></div>
+        <div id="answer_<%-id%>" data-width="100" data-height="100"></div>
     </div>
 
 
     <!-- status == 'unsubmitted' -->
         <span
             class="unanswered"
             style="display: inline-block;"
-            id="status_<%=id%>"
-            aria-describedby="input_<%=id%>"
+            id="status_<%-id%>"
+            aria-describedby="input_<%-id%>"
         >
             <span class="sr">Status: unanswered</span>
         </span>

diff --git a/common/lib/xmodule/xmodule/js/src/video/04_video_control.js b/common/lib/xmodule/xmodule/js/src/video/04_video_control.js
@@ -154,7 +154,7 @@
                 var endTime = (this.config.endTime !== null) ? this.config.endTime : params.duration;
                 // in case endTime is accidentally specified as being greater than the video
                 endTime = Math.min(endTime, params.duration);
-                this.videoControl.vidTimeEl.html(Time.format(params.time) + ' / ' + Time.format(endTime));
+                this.videoControl.vidTimeEl.text(Time.format(params.time) + ' / ' + Time.format(endTime));
             }
         }
     );

diff --git a/common/static/js/capa/chemical_equation_preview.js b/common/static/js/capa/chemical_equation_preview.js
@@ -3,9 +3,16 @@
         function create_handler(saved_div) {
             return (function(response) {
                 if (response.error) {
-                    saved_div.html("<span class='error'>" + response.error + '</span>');
+                    edx.HtmlUtils.setHtml(
+                        saved_div,
+                        edx.HtmlUtils.joinHtml(
+                            edx.HtmlUtils.HTML("<span class='error'>"),
+                            response.error,
+                            edx.HtmlUtils.HTML('</span>')
+                        )
+                    );
                 } else {
-                    saved_div.html(response.preview);
+                    saved_div.html(edx.HtmlUtils.HTML(response.preview).toString());
                 }
             });
         }

diff --git a/common/static/js/capa/drag_and_drop/targets.js b/common/static/js/capa/drag_and_drop/targets.js
@@ -1,5 +1,5 @@
 (function(requirejs, require, define) {
-    define([], function() {
+    define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
         return {
             initializeBaseTargets: initializeBaseTargets,
             initializeTargetField: initializeTargetField,
@@ -76,17 +76,19 @@
             }
 
             $targetEl = $(
-            '<div ' +
-                'style=" ' +
-                    'display: block; ' +
-                    'position: absolute; ' +
-                    'width: ' + obj.w + 'px; ' +
-                    'height: ' + obj.h + 'px; ' +
-                    'top: ' + obj.y + 'px; ' +
-                    'left: ' + obj.x + 'px; ' +
-                    borderCss +
-                '" ' +
-            'aria-dropeffect=""></div>'
+                HtmlUtils.joinHtml(
+                    HtmlUtils.HTML('<div style="display: block; position: absolute; width: '),
+                    obj.w,
+                    HtmlUtils.HTML('px; height: '),
+                    obj.h,
+                    HtmlUtils.HTML('px; top: '),
+                    obj.y,
+                    HtmlUtils.HTML('px; left: '),
+                    obj.x,
+                    HtmlUtils.HTML('px; '),
+                    borderCss,
+                    HtmlUtils.HTML('"aria-dropeffect=""></div>')
+                ).toString()
         );
             if (fromTargetField === true) {
                 $targetEl.appendTo(draggableObj.iconEl);
@@ -100,23 +102,17 @@
 
             if (state.config.onePerTarget === false) {
                 $numTextEl = $(
-                '<div ' +
-                    'style=" ' +
-                        'display: block; ' +
-                        'position: absolute; ' +
-                        'width: 24px; ' +
-                        'height: 24px; ' +
-                        'top: ' + obj.y + 'px; ' +
-                        'left: ' + (obj.x + obj.w - 24) + 'px; ' +
-                        'border: 1px solid black; ' +
-                        'text-align: center; ' +
-                        'z-index: 500; ' +
-                        'background-color: white; ' +
-                        'font-size: 0.95em; ' +
-                        'color: #009fe2; ' +
-                    '" ' +
-                '>0</div>'
-            );
+                    HtmlUtils.joinHtml(
+                        HtmlUtils.HTML('<div style=" display: block; position: absolute;'),
+                        HtmlUtils.HTML('width: 24px; height: 24px; top: '),
+                        obj.y,
+                        HtmlUtils.HTML('px; left: '),
+                        obj.x,
+                        obj.w - 24,
+                        HtmlUtils.HTML('px; border: 1px solid black; text-align: center; z-index: 500;'),
+                        HtmlUtils.HTML('background-color: white; font-size: 0.95em; color: #009fe2; ">0</div>')
+                    ).toString()
+                );
             } else {
                 $numTextEl = null;
             }
@@ -263,7 +259,7 @@
 
         function updateNumTextEl() {
             if (this.numTextEl !== null) {
-                this.numTextEl.html(this.draggableList.length);
+                this.numTextEl.text(this.draggableList.length);
             }
         }
     }); // End-of: define([], function () {

diff --git a/lms/djangoapps/support/static/support/templates/manage_user.underscore b/lms/djangoapps/support/static/support/templates/manage_user.underscore
@@ -32,7 +32,7 @@
         <td><% print(user_profile.get('status')) %></td>
         <td>
           <button class="disable-account-btn">
-            <%- gettext('Disable Account') %>
+            <%- gettext('Toggle Account Password (Usable/Unusable)') %>
           </button>
         </td>
       </tr>

diff --git a/lms/djangoapps/support/views/manage_user.py b/lms/djangoapps/support/views/manage_user.py
@@ -13,8 +13,11 @@
 from edxmako.shortcuts import render_to_response
 from lms.djangoapps.support.decorators import require_support_permission
 from openedx.core.djangoapps.user_api.accounts.serializers import AccountUserSerializer
+from openedx.core.djangoapps.user_api.accounts.utils import generate_password
 from util.json_request import JsonResponse
 
+from openedx.core.djangolib.oauth2_retirement_utils import retire_dot_oauth2_models
+
 
 class ManageUserSupportView(View):
     """
@@ -64,7 +67,17 @@ def post(self, request, username_or_email):
         user = get_user_model().objects.get(
             Q(username=username_or_email) | Q(email=username_or_email)
         )
-        user.set_unusable_password()
+        if user.has_usable_password():
+            user.set_unusable_password()
+            retire_dot_oauth2_models(request.user)
+        else:
+            user.set_password(generate_password(length=25))
         user.save()
-        password_status = _('Usable') if user.has_usable_password() else _('Unusable')
-        return JsonResponse({'success_msg': _('User Disabled Successfully'), 'status': password_status})
+
+        if user.has_usable_password():
+            password_status = _('Usable')
+            msg = _('User Enabled Successfully')
+        else:
+            password_status = _('Unusable')
+            msg = _('User Disabled Successfully')
+        return JsonResponse({'success_msg': msg, 'status': password_status})
diff --git a/lms/static/js/components/header/views/header.js b/lms/static/js/components/header/views/header.js
@@ -3,26 +3,33 @@
  */
 (function(define) {
     'use strict';
-    define(['backbone', 'text!templates/components/header/header.underscore'],
-           function(Backbone, headerTemplate) {
-               var HeaderView = Backbone.View.extend({
-                   initialize: function(options) {
-                       this.template = _.template(headerTemplate);
-                       this.headerActionsView = options.headerActionsView;
-                       this.listenTo(this.model, 'change', this.render);
-                       this.render();
-                   },
+    define([
+        'backbone',
+        'text!templates/components/header/header.underscore',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ],
+    function(Backbone, headerTemplate, HtmlUtils) {
+        var HeaderView = Backbone.View.extend({
+            initialize: function(options) {
+                this.template = HtmlUtils.template(headerTemplate);
+                this.headerActionsView = options.headerActionsView;
+                this.listenTo(this.model, 'change', this.render);
+                this.render();
+            },
 
-                   render: function() {
-                       var json = this.model.attributes;
-                       this.$el.html(this.template(json));
-                       if (this.headerActionsView) {
-                           this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
-                       }
-                       return this;
-                   }
-               });
+            render: function() {
+                var json = this.model.attributes;
+                HtmlUtils.setHtml(
+                    this.$el,
+                    this.template(json)
+                );
+                if (this.headerActionsView) {
+                    this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
+                }
+                return this;
+            }
+        });
 
-               return HeaderView;
-           });
+        return HeaderView;
+    });
 }).call(this, define || RequireJS.define);
diff --git a/lms/static/js/course_survey.js b/lms/static/js/course_survey.js
@@ -23,22 +23,25 @@ $(function() {
         var cancel_submit = false;
 
         $inputs.each(function() {
+            var val, fieldLabel;
             /* see if it is a required field and - if so - make sure user presented all information */
             if (typeof $(this).attr('required') !== typeof undefined) {
-                var val = $(this).val();
+                val = $(this).val();
                 if (typeof(val) === 'string') {
                     if (val.trim().length === 0) {
-                        var field_label = $(this).parent().find('label');
+                        fieldLabel = $(this).parent().find('label');
                         $(this).parent().addClass('field-error');
-                        $('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
+                        // eslint-disable-next-line max-len
+                        $('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
                         cancel_submit = true;
                     }
                 } else if (typeof(val) === 'object') {
                     /* for SELECT statements */
                     if (val === null || val.length === 0 || val[0] === '') {
-                        var field_label = $(this).parent().find('label');
+                        fieldLabel = $(this).parent().find('label');
                         $(this).parent().addClass('field-error');
-                        $('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
+                        // eslint-disable-next-line max-len
+                        $('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
                         cancel_submit = true;
                     }
                 }
@@ -70,7 +73,7 @@ $(function() {
         json = $.parseJSON(jqXHR.responseText);
         $('.status.message.submission-error').addClass('is-shown').focus();
         $('.status.message.submission-error .message-copy').
-            html(gettext('There has been an error processing your survey.')).
+            text(gettext('There has been an error processing your survey.')).
             stop().
             css('display', 'block');
     });

diff --git a/lms/static/js/customwmd.js b/lms/static/js/customwmd.js
@@ -201,8 +201,8 @@ Mostly adapted from math.stackexchange.com: http://cdn.sstatic.net/js/mathjax-ed
                               .append($("<textarea>")
                               .addClass("wmd-input")
                               .attr("id", wmdInputId)
-                              .html(initialText))
-                              .append($wmdPreviewContainer); // xss-lint: disable=javascript-jquery-html
+                              .html(initialText)) // xss-lint: disable=javascript-jquery-html
+                              .append($wmdPreviewContainer);
         $elem.append($wmdPanel);
       }
       converter = Markdown.getMathCompatibleConverter(postProcessor);

diff --git a/lms/static/js/edxnotes/views/tab_item.js b/lms/static/js/edxnotes/views/tab_item.js
@@ -1,7 +1,8 @@
 (function(define, undefined) {
     'use strict';
-    define(['gettext', 'underscore', 'jquery', 'backbone', 'js/edxnotes/utils/template'],
-function(gettext, _, $, Backbone, templateUtils) {
+    define(['gettext', 'underscore',
+        'jquery', 'backbone', 'js/edxnotes/utils/template', 'edx-ui-toolkit/js/utils/html-utils'],
+function(gettext, _, $, Backbone, templateUtils, HtmlUtils) {
     var TabItemView = Backbone.View.extend({
         tagName: 'li',
         className: 'tab',
@@ -34,7 +35,7 @@ function(gettext, _, $, Backbone, templateUtils) {
 
         render: function() {
             var html = this.template(this.model.toJSON());
-            this.$el.html(html);
+            this.$el.html(HtmlUtils.HTML(html).toString());
             return this;
         },